Claroty researchers in 2020 conducted an extensive analysis of the OPC network protocol prevalent in OT networks worldwide. During that research, Claroty found and privately disclosed critical vulnerabilities in OPC implementations from a number of leading vendors that have built their respective products on top of the protocol stack. The affected vendors sell these products to companies operating in many industries within the ICS domain.
The vulnerabilities discovered by Claroty could be exploited to cause a denial-of-service condition on devices operating on industrial networks, as well as information leaks, and remote code execution. Our research identified weak spots in different OPC specification implementations within different components of the OPC architecture. These components include the OPC server, OPC gateway, and a third-party library implementation of the OPC protocol stack
In this report, we will explain the OPC protocol in depth, its architecture, and common usage in order to gain a deeper understanding of the impact of these vulnerabilities. We will also describe the vulnerabilities we uncovered, and explain the potential threat posed by attackers who exploit these vulnerabilities to take over OPC servers and gateways, and potentially harm manufacturing facilities and production lines.
CWE-79 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING')
The affected product is vulnerable to a reflected cross-site scripting vulnerability, which could allow a remote attacker to execute arbitrary JavaScript on the victim's browser.
Zenitel recommends users to upgrade to Version 9.3.3.0 or later.
CVSS v3: 9.8
CWE-787 OUT-OF-BOUNDS WRITE
The affected product is vulnerable to an out-of-bounds write vulnerability, which could allow a remote attacker to crash the device.
Zenitel recommends users to upgrade to Version 9.3.3.0 or later
CVSS v3: 7.6
CWE-78 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION')
An OS command injection vulnerability exists due to incomplete validation of user-supplied input. Validation fails to enforce sufficient formatting rules, which could permit attackers to append arbitrary data. This could allow an unauthenticated attacker to inject arbitrary commands.
Zenitel recommends users to upgrade to Version 9.3.3.0 or later
CVSS v3: 9.8
CWE-78 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION')
An OS command injection vulnerability exists due to insufficient sanitization of user-supplied input. The application accepts parameters that are later incorporated into OS commands without adequate validation. This could allow an unauthenticated attacker to execute arbitrary commands remotely.
Zenitel recommends users to upgrade to Version 9.3.3.0 or later.
CVSS v3: 9.8
CWE-78 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION')
An OS command injection vulnerability exists due to improper input validation. The application accepts a parameter directly from user input without verifying it is a valid IP address or filtering potentially malicious characters. This could allow an unauthenticated attacker to inject arbitrary commands.
Zenitel recommends users to upgrade to Version 9.3.3.0 or later
CVSS v3: 9.8
